"Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment," he says.

Coviello says that the company will replace SecurID tokens for 'customers with concentrated user bases typically focused on protecting intellectual property and corporate networks'. It is also offering to implement authentication strategies based on companies' individual risks for those with a large, dispersed user base, with the aim of protecting financial transactions.

"We will continue to work with all customers to assess their unique risk profiles and user populations and help them understand which options may be most effective and least disruptive to their business and their users," he says.

"Those sound rather like weasel-words to me. What is a 'concentrated user base'? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?" he says.

"And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don't have the same flaws as the old ones?"